Security


wapiti
Install web vulnerability scanner wapiti:
sudo apt-get install wapiti
Scan a website and generate html output:
wapiti https://example.com -u -n 30 -b folder -f html
To resume a previous scan from its saved XML state file (for example after a crash), add the -k flag:
wapiti https://example.com -u -n 30 -b folder -f html -k
Reference: sourceforge limsi

nginx
Backup and edit config:
sudo cp -v /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old
sudo nano /etc/nginx/nginx.conf
To stop showing nginx version number, add the following line to server segment of config:
server_tokens off;
Disable unwanted HTTP methods. Add following under server block:

if ($request_method !~ ^(GET|HEAD|POST)$ )
{
       return 405;
}

Limit the request rate and the number of simultaneous connections per IP address. Reference:   axivo   nginx   (Note: one megabyte of zone storage (1m) keeps about 32 thousand 32-byte states or about 16 thousand 64-byte states. If the zone storage is exhausted, the server returns the 503 (Service Temporarily Unavailable) error to all further requests.)

http {
         limit_conn_zone $binary_remote_addr zone=alpha:8m;
         limit_req_zone  $binary_remote_addr zone=delta:8m rate=30r/s;
...

server {
         limit_conn alpha 15;
         limit_req  zone=delta burst=80 nodelay;  
...         

Or limit a single page:

http {
         limit_req_zone $binary_remote_addr zone=blitz:10m rate=30r/s;
...

server {
         location = /login.html {
          limit_req zone=blitz nodelay;
         } 
...       

Control buffer overflow attacks by limiting request buffer sizes; put the following lines in the server context:
client_body_buffer_size 12k;
client_header_buffer_size 2k;
client_max_body_size 5k;
large_client_header_buffers 2 2k;
Set proper timeouts (seconds):
client_body_timeout 12;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
Static File Caching (in server context):

location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {   # dot must be escaped, or "." matches any character
   expires 30d;
}

If you discover that DDoS attack requests have a User-Agent header value of foo or bar, you can block those requests (server context).

    if ($http_user_agent ~* foo|bar) {
        return 403;
    }   

Check that agent blocking works:
curl -I -H 'User-agent: Bloglovin' http://mysite.com
GeoIP block. First put the following in http context:
geoip_country /etc/nginx/GeoIP.dat;
Next, tell nginx which countries to block (server context). The module compares ISO 3166-1 alpha-2 codes, so the United Kingdom is GB, not UK:

if ($geoip_country_code ~ (CN|KR|GB) ) {
  return 403;
}

Image hotlink protection (in server context). Reference:   htpcbeginner   nodotcom  

location ~ \.(gif|png|jpeg|jpg|svg)$ {   # escaped dot: match the extension only
     valid_referers none blocked .my_good_domain.com;
     if ($invalid_referer) {
        return 403;
     }
}

Deny execution of scripts inside certain directories (server context). Reference:   scalescale  

location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {   # escaped dot before the extension
    return 403;
    error_page 403 /403_error.html;
}


Reference:   nginx-ddos   nginx-performance   nginx-pitfalls   cyberciti   takeshiyako  

Full nginx.conf with the settings above:

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 30 10;
        types_hash_max_size 2048;
        server_tokens off;

        client_body_timeout 10;
        client_header_timeout 10;
        send_timeout 10;

        client_body_buffer_size 2k;
        client_header_buffer_size 2k;
        client_max_body_size 5k;
        large_client_header_buffers 2 2k;

        open_file_cache          max=10000 inactive=2m;
        open_file_cache_valid    2m;
        open_file_cache_min_uses 1;
        open_file_cache_errors   on;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE. TLSv1.1 is deprecated (RFC 8996); use TLSv1.2 TLSv1.3 where the nginx/OpenSSL build supports it
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

        limit_conn_zone $binary_remote_addr zone=alpha:8m;
        limit_req_zone  $binary_remote_addr zone=delta:8m rate=30r/s;
}


php
Find, backup and edit config:
php -i | grep php.ini
sudo cp -v /etc/php/7.0/fpm/php.ini /etc/php/7.0/fpm/php.ini.old
sudo nano /etc/php/7.0/fpm/php.ini
(Check also /usr/lib/php)
Restart PHP:
sudo service php7.0-fpm restart
If the website does not accept file uploads, disable them and allow only a small POST size:
file_uploads = 0
post_max_size = 10K
Maximum time (seconds) a script is allowed to spend parsing input data:
max_input_time = 40
Change the maximum amount of memory a script may consume:
memory_limit = 36M
Maximum number of input variables accepted (applies to $_GET, $_POST and $_COOKIE):
max_input_vars = 20
To stop advertising the PHP version (X-Powered-By header):
expose_php = 0
PHP error handling (log errors, never display them to clients):
error_reporting = E_ALL
display_errors = off
display_startup_errors = off
log_errors = on
report_memleaks = on
If there is no need for URL-aware fopen wrappers and include:
allow_url_fopen = 0
allow_url_include = 0
Performance tuning. First read haydenjames and php.net
realpath_cache_size = 64k
realpath_cache_ttl = 1600
Restrict accessible directories:
Disabling functionality. php.ini keeps only the last disable_functions assignment (there is no line continuation and later lines override earlier ones), so list everything in a single directive:

disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, dl, system, highlight_file, source, show_source, fpassthru, virtual, posix_mkfifo, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, chdir, mkdir, rmdir, rename, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, shell_exec, set_time_limit, exec, phpinfo, chmod
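Because php.ini keeps only the last of several `disable_functions =` assignments, it is worth checking what a file actually sets before restarting php-fpm. The following added script (not from the original notes or from PHP) resolves a directive the way PHP does for duplicate keys and prints the effective value; `effective_value` and `count_assignments` are my helper names, and the sample ini is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: print the value php-fpm will
# actually use for a php.ini directive. php.ini has no line continuation, and
# a directive listed more than once keeps only the LAST assignment, so split
# "disable_functions =" lines silently drop all but the last. $1 = ini path.

# effective_value FILE KEY: value of the last uncommented "KEY = value" line in
# FILE, whitespace and surrounding quotes stripped; empty if KEY is never set.
effective_value() {
    awk -v key="$2" '
        { sub(/;.*$/, "") }                 # drop ; comments
        /^[ \t]*\[/ { next }                # skip [Section] headers
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) last = v
        }
        END { print last }' "$1"
}

# count_assignments FILE KEY: number of uncommented lines assigning KEY; more
# than 1 means the earlier ones are silently ignored.
count_assignments() {
    awk -v key="$2" '
        { sub(/;.*$/, "") }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) n++
        }
        END { print n + 0 }' "$1"
}

# sample_ini FILE: constructed php.ini reproducing the duplicated directive.
sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
expose_php = Off
; disable_functions = phpinfo   (commented out, so it must be ignored)
disable_functions = php_uname, passthru, system
disable_functions = shell_exec, exec, phpinfo, chmod
EOF
}

if [ -n "$1" ]; then
    echo "disable_functions assigned $(count_assignments "$1" disable_functions) time(s)"
    echo "effective: $(effective_value "$1" disable_functions)"
fi
```

Run it against /etc/php/7.0/fpm/php.ini (not the CLI php.ini, which php-fpm never reads); a count above 1 means functions you believe are disabled are still callable.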
Protect Sessions:
session.cookie_httponly = 1
Reference:   php.net   owasp   owasp